Abstract

This paper reports the results of a study on reliability analysis of an AFTI-16 Self-Repairing Flight Control System (SRFCS) using the software tools SURE (Semi-Markov Unreliability Range Evaluator) and ASSIST (Abstract Semi-Markov Specification Interface to the SURE Tool). The purpose of the study is to investigate the potential utility of these tools in the ongoing effort of the NASA Aviation Safety Program, where the class of systems to be analyzed must be extended beyond the electronic digital processors the tools were originally intended to serve. The study concludes that SURE and ASSIST are applicable to reliability analysis of flight control systems. They are especially efficient for sensitivity analysis, which quantifies the dependence of system reliability on model parameters. The study also confirms an earlier finding on the dominant role of a parameter called failure coverage. The paper also remarks on issues related to the improvement of coverage and the optimization of the redundancy level.

1 Introduction 

In 1997, the Clinton administration issued a national goal to reduce the aircraft fatal accident rate by 80% in 10 years. In response to this challenge, NASA established the Aviation Safety Program. The single aircraft accident prevention project is one of the six project areas under this program. Technologies being developed under the single aircraft accident prevention project include vehicle health management technologies, control upset prevention & recovery technologies, and system validation & verification (V&V) technologies. This paper addresses the reliability analysis aspect of the validation & verification technologies. Other aspects of these technologies include simulation-based and experimental V&V methods. Methods for system validation and verification are essential to the commercialization of new safety enhancement technologies because of certification requirements. The reader is referred to Belcastro and Belcastro [1] for an overview of the single aircraft accident prevention project and relevant technologies.

In addition to providing tools for system validation and verification, reliability analysis also helps identify needs and specify goals in aviation safety. It serves to offer guidelines for integrated system design as well.

SURE [1] was developed at NASA Langley in response to the growing size and complexity of fault-tolerant digital systems and the resulting intractability of their reliability analysis. The original version of SURE runs on the VMS and UNIX operating systems; a more recent update allows the program to run on Windows. In principle, the reliability of any fault-tolerant system whose failure process is described by a Markov model [5] can be computed using SURE. However, the process of delineating all of the states and transitions by hand can be devastatingly tedious and error-prone. ASSIST [2] was then developed as an abstract model definition language which specifies a set of rules for generating large Markov models automatically from a small number of statements. This tool has also been modified recently to run on Windows.

SURE is based on a mathematical theorem developed by White [7] for computing the reliability of a fault-tolerant system. Two characteristics of fault-tolerant systems have made the task of reliability assessment difficult [3]. First, the use of sophisticated reconfiguration strategies results in complex models. Second, system recovery is many orders of magnitude faster than the fault arrival process, which makes the model numerically stiff and can cause rapid growth of the error terms in numerical integration. The theorem underlying SURE overcomes both difficulties. This makes it a strong candidate as a tool for the aviation safety program, where the required system failure probability is on the order of 10^-9.

A key to enabling the application of SURE to a fault-tolerant control system is coverage modeling [9]. A formal definition of coverage was introduced in [4] for use as a parameter to reflect the ability of digital processors to recover automatically from the occurrence of a fault during normal system operation:

$$\text{coverage} = \Pr\{\text{system recovers} \mid \text{fault occurs}\}.$$

A fault-tolerant flight control system is more than a digital system in many ways. It has both digital and analog components, and it uses both hardware and analytic redundancy.

Schemes used for managing the analytic redundancy in a complex control system involve considerably more risk than schemes used for managing direct redundancy, such as majority voting. This is because decisions are often based on residual signals formed from the differences between noisy measurements and values of output variables calculated from inaccurate models. Decision errors can stem from uncertainty about whether there is a subsystem failure, which subsystem has failed, how severe its effect is, whether it is necessary to take a corrective action, and which action to take. In addition, the question of whether there is adequate control-relevant redundancy and authority to allow recovery from the effect of the failure becomes more difficult to answer. The dynamic and closed-loop nature common to all control systems is the source of additional difficulties, such as the temporary masking of the effect of subsystem failures, the vagueness in the definition of a system-level failure in the context of control performance, and the sometimes significant processing requirement for supporting redundancy management. Coverage in this context has been shown to be highly scenario dependent, highly time dependent, and difficult to model [9, 10].

The notion of coverage was used in [8] for an AFTI-16 SRFCS that has mixed components and both types of redundancy, in order to account for the decision risks mentioned above; there, direct Markov modeling and reliability analysis were performed without the aid of any software tools. The task took many months to complete. This paper reports the results of reliability and sensitivity analyses for the same system, but using SURE and ASSIST. Some new insights on the role of coverage in fault-tolerant control systems are also presented.

The paper is organized as follows. The reliability model of a self-repairing flight control system for an AFTI-16 aircraft is described in Section 2. Results of the reliability and sensitivity analysis are presented in Section 3. Conclusions drawn from the analysis are summarized in Section 4. Section 5 lists the references. Section 6 provides a sample program, written in ASSIST, for Markov model building.

2 Reliability model of AFTI-16 SRFCS 

The upper block diagram in Fig. 1 shows the dependency of functional modules in an AFTI-16 SRFCS. The first four blocks are a computer power supply block, an I/O control module block, a pilot command sensor block, and an aircraft state sensor block, all in a quadruplex redundant architecture. These are followed by a pitch & roll effector block and a yaw effector block. The lower block diagram of Fig. 1 shows the functional dependencies of subsystems in the pitch-roll-axis control effector block and the yaw-axis control effector block. The lower diagram reflects the available redundant control authorities in the system and the extent to which such redundancy is utilized for subsystem failure recovery. Therefore our reliability analysis is focused on the lower block only. Each effector channel in this block contains an actuator subsystem which is preceded by a group of three or four active identical computer/effector (C/E) interface subsystems and followed by a control surface. Every computer/effector interface subsystem block is of n-plex architecture (a group of n active identical subsystems). The functional dependency of the fault-tolerant flight control system altogether is described by a two-layer parallel-to-series interconnection scheme. For a full account of the reliability model for the SRFCS, the reader is referred

Fig. 1 Subsystem functional dependency for AFTI-16 SRFCS

The reliability indicator used in the following discussion is the probability of loss of control, denoted by $P_{LOC}$. $P_{LOC}$ estimates the system's compliance with the applicable safety-of-flight criterion and provides an indication of the impact of added or reduced hardware redundancy as well as of the flight control system's reconfiguration capability. Each small box in Fig. 1 represents a subsystem. The symbols $\lambda_i$ ($i = 1, 2, 3$) shown in the small boxes are the subsystem failure rates in failures per hour. Under the assumption of low subsystem failure rates and short mission time, constant failure rates (exponential distribution) are appropriate. The safety requirement for the inner-layer parallel configuration (the n-plex computer/effector interface subsystem) is 1-out-of-n (fail-operational/fail-operational/loss-of-control, for example, in the 3-plex case). The safety requirement for the outer-layer parallel configuration in the pitch-roll effector channels is 3-out-of-4 (fail-operational/loss-of-control). This means that the three remaining effector channels in this block must work in concert to accommodate a failure in one effector channel. The safety requirement for the outer-layer parallel configuration in the yaw effector channels is 1-out-of-2 (fail-operational/loss-of-control).

The redundancy architecture shown in Fig. 1 does not literally reflect how the effector channel hardware is configured. It must be understood as an effective redundancy configuration, which assumes that any anomaly in an effector channel serious enough to warrant a control adaptation or reconfiguration action for failure accommodation is acted upon promptly and successfully. In reality, however, because of uncertainties in the model of the system to be controlled, uncertainties in the models of the signals exerted on the system, and limited processing capability, considerable risk exists in deciding on the corrective action. These decision risks must be taken into consideration in the reliability assessment. The risks encountered may include overly slow or severe transients, false alarms, missed detections, false identification, false reconfiguration, and lack or exhaustion of redundancy. The notion of coverage is now used to account for such risks. It represents an attempt to separate the handling of failures from the occurrence of failures. Once a decision is made, however, the process of removing a subsystem or reconfiguring the system generally follows. This process, though fast in comparison with the failure process, still takes time, and has been shown to be generally non-exponentially distributed [3]. Including this process in a reliability model creates a numerically stiff problem. SURE is designed specifically to solve this stiff problem.

We now present the data used for the reliability analysis. Table 1 gives the values of coverage, and Table 2 gives the values of failure rates, recovery rates and variances, and mission time.
Table 2

  C/E subsystem failure rate     λ1 = 70 × 10^-6 hour^-1
  Actuator failure rate          λ2 = 0.5 × 10^-6 hour^-1
  Surface failure rate           λ3 = 10^-6 ~ 10^-4 hour^-1
  Mean time to recover           μ = 10^-1 hours
  Variance of time to recover    σ^2 = 0 ~ 10^-4 hours^2
  Mission time                   T = 10^-1 ~ 10^1 hours


The above table reflects the two common characteristics of highly reliable fault-tolerant systems: details due to small failure probabilities cannot be arbitrarily ignored, and the recovery process is much faster than the failure process.

3 Reliability and sensitivity analysis 

This section performs the reliability analysis for the AFTI-16 SRFCS using ASSIST and SURE. Since SURE allows a parameter of the model to vary over a range of values, it easily provides results on the sensitivity with respect to that parameter. The largest data uncertainties are the mission time, the recovery time distribution, and the failure rate and coverage values associated with the control surfaces. These will be selected as variables or parameters in the sensitivity analysis. Also of interest is the level of redundancy in the computer/effector interface, which would affect the addition or removal of hardware such as servo electronics, DEM coils, LVDTs, and power supplies.

One of the most important original goals [8] of the reliability analysis for the AFTI-16 SRFCS was to determine whether a probability of loss of control at 10*' could be achieved with the use of aerodynamically redundant surfaces without added hardware. The main goal here, however, is the applicability of SURE and ASSIST to systems that are targeted for enhanced reliability in the aviation safety program. Therefore, no special effort will be made to justify the numerical values of the data on which our computation is based, though the values used are reasonably close to those encountered in practice.

The major assumptions used in the following failure probability computation are as follows:

(a) the failure probability of any given subsystem over a mission of duration $T$ is $1 - e^{-\lambda T}$, where $\lambda$ is the constant failure rate of that subsystem;

(b) a failure in any subsystem is independent of failures in all other subsystems;

(c) redundancy management restores system operation with a certain coverage following a subsystem failure (imperfect coverage is caused by decision errors, delays in redundancy management, and, as a special case, the exhaustion of redundancy);

(d) an uncovered subsystem failure leads to system failure;

(e) a covered subsystem failure obeys a recovery time distribution with mean $\mu$ and variance $\sigma^2$ (caused by transients following a restructuring, such as the removal of a failed component or the reconfiguration of a control law);

(f) all rates of recovery are orders of magnitude faster than the rates of subsystem failure.


The rationales for the assumptions are now given. 



Assumption (a) is appropriate for highly reliable subsystems performing short missions, based on the argument that a process with a nonconstant failure rate can be approximated to any desired accuracy in a given finite interval by a process with a piecewise constant rate. A reliability assessment task becomes more tractable with a constant-rate Markov model.

Assumption (b) is made based on the fact that a reliability model that contains common-mode failures can, in general, be recast into one containing only independent subsystems, with an altered redundancy configuration and altered reliability requirements.

Assumption (c) concerns the use of coverage. Since redundancy management decisions are made based on processed measurements, coverage is usually an increasing function of time, and therefore a dynamic parameter [10]. The coverage used for reliability assessment is its value at the onset of a corrective action that follows a redundancy management decision. This value is called the static coverage value. Its effect on the overall system reliability can be examined numerically by varying the static coverage value. The case of exhaustion of redundancy can be regarded as a special case of zero coverage, and assumption (d) is where this case is reflected.

Corresponding to each failure scenario there is a critical clearance time $t_c$ by which a corrective action must be taken. Critical clearance time is described by Khalil [6] for the scenario of a short circuit in a nonlinear electrical network, to introduce the concept of region of attraction. The scenario is retold here to rationalize the need to list assumptions (d) and (e) separately. Suppose the short circuit has caused a subsystem failure that resulted in a departure of the network state trajectory from the pre-failure asymptotically stable equilibrium. Suppose the system is recoverable through control reconfiguration, and that a new equilibrium can be established based on the post-failure dynamics. Then the critical clearance time is the maximum period allowed between the occurrence of the failure and the establishment of the new equilibrium, during which the trajectory departing from the old equilibrium still stays within the region of attraction of the new equilibrium. In this case, it is only a matter of time before the new equilibrium is reached. Assumption (d) above addresses failures that are consequences of a control reconfiguration decision prolonged beyond the critical clearance time, or of the establishment of an incorrect new equilibrium that is out of reach of the current state. Assumption (e), on the other hand, addresses the recovery process where the trajectory is already within the new region of attraction but is still racing with other failure processes to reach its final destination, the new equilibrium.

There are two commonly shared features of highly reliable systems. One is the use of complex redundancy management strategies, especially when analytic redundancy is involved. The second feature is stated in assumption (f), i.e., the average rate of system recovery through redundancy management is nonzero but many orders of magnitude faster than the average rate of fault arrival. Because of the much faster recovery rate, the constant-rate assumption given in (a) is no longer appropriate for the recovery process. A theory for accurate reliability prediction has been developed [7] to address this issue; it uses only the means and variances of the recovery times, which can be acquired empirically.

The SRFCS under consideration has six cascaded blocks. If the $i$th block has a failure probability $P_{LOC}^{(i)}$, the composite failure probability is given by

$$P_{LOC} = 1 - \prod_{i=1}^{6} \bigl(1 - P_{LOC}^{(i)}\bigr).$$

Since the first four blocks are simple quadruplex blocks for which no major uncertainties are present and no further configuration changes are being considered, only the composite failure probability of the two effector blocks is presented.
Fig. 2 AFTI-16 SRFCS $P_{LOC}$ vs. $\lambda_3$ with varying C/E redundancy level

Fig. 3 AFTI-16 SRFCS $P_{LOC}$ vs. $c_3$ with varying mission time

The two figures above depict the failure probability of the effector blocks as well as its sensitivity with respect to variations of four parameters, which are mission time, surface damage rate, surface damage coverage, and redundancy level of the computer/effector interface subsystem. Most observations from these two figures are consistent with intuition. There are, however, exceptions. The most notable, from Fig. 2, is that the $P_{LOC}$ corresponding to a quadruplex C/E configuration is not any better than that corresponding to a triplex configuration. This seemingly counterintuitive property can be shown to be attributable to the imperfection of coverage ($c < 1$): each additional unit adds exposure to uncovered first failures at a rate proportional to $\lambda_1 (1 - c)$, while the exhaustion of redundancy that it guards against is already a higher-order event. Moreover, the effect of varying the recovery rates is not observable in the computation over the prescribed range. Both findings have recently been confirmed by theory [9]. Also, from the vastly different dynamic ranges of Fig. 3 and Fig. 2, it can be observed that $P_{LOC}$ is much more sensitive to coverage than to the other variables. In particular, an improvement in coverage even by a small percentage, say about 1% (from 0.99 to 0.999), could reduce the system failure probability by an order of magnitude.
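To make the two observations above concrete, the following added example (not code from the paper and not part of the SURE/ASSIST distribution) builds the homogeneous Markov model of one yaw-axis effector channel from the same kind of rules the appendix program uses, solves it by uniformization, and composes the three-channel yaw block with the appendix's death condition. Recovery time is ignored, as observation 5 in Section 4 permits. The failure rates and coverage values are those of the appendix program; the reduction of a channel to the states {k working C/E units, exhausted, uncovered} and the function names (channel_generator, transient, yaw_p_loc) are this example's own.

```python
"""Markov reliability model of the yaw-axis effector block (added example).

One effector channel is an n-plex computer/effector (C/E) interface in
series with an actuator and a control surface.  Each component failure is
either covered (the channel degrades or is exhausted) or uncovered (loss of
control).  Recovery time is ignored, which turns the semi-Markov model into
a homogeneous Markov model; the three-channel death condition below is the
one encoded by the DEATHIF rules in the appendix.  Everything here is an
illustration written for this article, not SURE/ASSIST code.
"""
import math


def channel_generator(n, lam_i, lam_a, lam_s, cov_i, cov_a, cov_s):
    """Build the generator matrix Q of one effector channel.

    States: 'W{k}' = k working C/E units, actuator and surface operative
    (k = n..1); 'E' = channel lost through covered failures (absorbing);
    'U' = an uncovered failure occurred, i.e. loss of control (absorbing).
    cov_i[j] is the coverage of the (j+1)-th C/E failure in the channel,
    mirroring CI01, CI12, CI23, CI34 in the appendix.
    """
    states = [f"W{k}" for k in range(n, 0, -1)] + ["E", "U"]
    idx = {s: i for i, s in enumerate(states)}
    m = len(states)
    Q = [[0.0] * m for _ in range(m)]

    def add(src, dst, rate):
        Q[idx[src]][idx[dst]] += rate
        Q[idx[src]][idx[src]] -= rate

    for k in range(n, 0, -1):
        src = f"W{k}"
        j = n - k                                    # C/E failures so far
        nxt = f"W{k - 1}" if k > 1 else "E"          # exhaustion after the n-th
        add(src, nxt, k * lam_i * cov_i[j])          # covered C/E failure
        add(src, "U", k * lam_i * (1.0 - cov_i[j]))  # uncovered C/E failure
        add(src, "E", lam_a * cov_a)                 # covered actuator failure
        add(src, "U", lam_a * (1.0 - cov_a))         # uncovered actuator failure
        add(src, "E", lam_s * cov_s)                 # covered surface failure
        add(src, "U", lam_s * (1.0 - cov_s))         # uncovered surface failure
    return states, Q


def transient(Q, start, T):
    """State distribution at time T, starting from state index `start`.

    Uniformization: with Lambda >= max outflow rate and P = I + Q/Lambda,
    exp(QT) = sum_k Poisson(k; Lambda*T) * P^k.  The series is summed until
    the Poisson weights are negligible, so the result is accurate to
    rounding without the stiffness problems of explicit integration.
    """
    m = len(Q)
    lam = max(-Q[i][i] for i in range(m)) or 1.0
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / lam for j in range(m)]
         for i in range(m)]
    v = [1.0 if i == start else 0.0 for i in range(m)]   # pi0 * P^k
    dist = [0.0] * m
    a = lam * T
    w, k = math.exp(-a), 0                                # Poisson weight
    while True:
        for i in range(m):
            dist[i] += w * v[i]
        if k >= a and w < 1e-18:
            break
        if k > 100_000:
            raise RuntimeError("uniformization did not converge")
        v = [sum(v[i] * P[i][j] for i in range(m)) for j in range(m)]
        k += 1
        w *= a / k
    return dist


def yaw_p_loc(n, T, lam_i=7.0e-5, lam_a=0.5e-6, lam_s=1.0e-6,
              cov_i=(0.99992, 0.9999, 0.99, 0.89), cov_a=0.99, cov_s=0.99):
    """Probability of loss of yaw control by mission time T (hours).

    Three identical, independent channels.  Loss of control occurs if any
    channel suffers an uncovered failure, or if channel 3 is exhausted
    together with channel 1 or channel 2 (the appendix death condition).
    Default rates and coverages are the appendix values.
    """
    states, Q = channel_generator(n, lam_i, lam_a, lam_s, cov_i, cov_a, cov_s)
    dist = transient(Q, 0, T)
    p_e = dist[states.index("E")]
    p_u = dist[states.index("U")]
    p_w = 1.0 - p_e - p_u
    q = 1.0 - p_u                     # channel free of uncovered failures
    # survive <=> no channel in U and not (ch3 in E and (ch1 in E or ch2 in E))
    p_survive = q ** 3 - p_e * (q ** 2 - p_w ** 2)
    return 1.0 - p_survive


if __name__ == "__main__":
    for n in (3, 4):
        print(f"{n}-plex C/E, T = 1 h:  P_LOC = {yaw_p_loc(n, 1.0):.3e}")
    for cs in (0.99, 0.999, 0.9999):
        print(f"c_S = {cs}:  P_LOC = {yaw_p_loc(3, 1.0, cov_s=cs):.3e}")
```

Running the block prints $P_{LOC}$ for triplex and quadruplex C/E interfaces at T = 1 h and for three surface coverages. With the appendix's coverage values the quadruplex case comes out slightly worse than the triplex case, because the extra unit adds its own uncovered first-failure rate while the exhaustion it protects against is a third- or fourth-order event, and the surface-coverage sweep is linear in $1 - c_S$; these are the behaviours of Fig. 2 and Fig. 3. The uniformization solver is used instead of a stiff ODE integrator for the reason given in Section 1: with recovery set aside, all remaining rates are small and the Poisson series converges in a handful of terms.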

The ASSIST program used to generate the SURE program (Markov model) for the failure probability calculation in the yaw-axis block is given in the Appendix. This sample program ignores the recovery time. The generated SURE program contains many thousands of states and therefore is too large to be included in the paper.

4 Summary of results 

ASSIST and SURE are used to evaluate the probability of loss of control of an AFTI-16 SRFCS, as well as the sensitivity of this probability with respect to some of the model parameters. For the prescribed data range, the following observations have been made.

1. $P_{LOC}$ increases approximately linearly as mission time increases.

2. $P_{LOC}$ increases approximately linearly as the surface failure rate increases. This calls for more reliable subsystems.

3. $P_{LOC}$ increases approximately linearly as the complementary coverage ($1 - c$) of a surface damage increases. Since the value of coverage is generally very close to one, the effect of coverage on $P_{LOC}$ is significant. This calls for a focused effort on the development of more optimized decision and control algorithms for better redundancy management.

4. $P_{LOC}$ is minimized at an appropriate redundancy level, more specifically in this case study at the triplex level. This is due to the fact that the coverage of failures is not perfect.

5. $P_{LOC}$ is unaffected by the recovery rate over the range specified in Table 2. Therefore, the mean recovery time can be set to zero in the probability evaluation. This results in a significant simplification of the problem, from a semi-Markov model to a homogeneous Markov model.

It can be shown analytically that the approximately linear relationship between $P_{LOC}$ and the parameters, as well as the independence of $P_{LOC}$ from the recovery rates, begin to falter when $1 - c \gg \lambda T$ no longer holds [9]. On the other hand, as long as $1 - c \gg \lambda T$ holds, one can obtain a very accurate estimate of the system failure probability using approximations that reveal the above observations in analytic form.
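The first-order approximation behind these statements, carried through here with the paper's symbols as an added derivation (it is not taken from [9]): consider a block of $m$ identical effector channels in which component type $i$ (C/E unit, actuator, surface) has $n_i$ active units per channel, constant failure rate $\lambda_i$, and static coverage $c_i$ for a first failure. Over a mission of length $T$, an uncovered failure of a type-$i$ unit, which by assumption (d) is loss of control, has probability $n_i \lambda_i (1 - c_i) T + O((\lambda T)^2)$, while every path to loss of control through covered failures only (exhaustion of a channel's C/E units, or loss of two channels) requires at least two failures and is therefore $O((\lambda T)^2)$. Hence

$$P_{LOC}(T) \;=\; m \sum_i n_i \lambda_i (1 - c_i)\, T \;+\; O\bigl((\lambda T)^2\bigr), \qquad \text{valid when } 1 - c_i \gg \lambda_i T .$$

The leading term is linear in $T$, in each $\lambda_i$ and in each $1 - c_i$ (observations 1 to 3), and it contains no recovery-time parameter, since $\mu$ and $\sigma^2$ only govern how long the model dwells in intermediate covered states, which enters at second order (observation 5). Adding a unit to the C/E interface raises the leading term by $\lambda_1 (1 - c_1) T$ but reduces only the $O((\lambda T)^{n_1})$ exhaustion term, so beyond some $n_1$ the added unit makes $P_{LOC}$ worse (observation 4). When $1 - c_i$ shrinks toward $\lambda_i T$ the neglected terms become comparable to the leading one, and the linear picture fails.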

In summary, SURE is capable of handling complex reconfiguration strategies with simple reliability models. It provides sufficient accuracy for the disparate failure and recovery processes encountered in fault-tolerant control systems in aviation. It has the flexibility to allow the incorporation of decision risk factors. It is therefore a suitable reliability analysis tool for the aviation safety program. However, the use of ASSIST and SURE requires a thorough understanding of the failure and recovery processes, and therefore an adequate background in reliability theory and Markov processes is needed on the part of the potential user. This is when accurate and efficient tools such as SURE become absolutely indispensable.

The major challenge in the reliability analysis of flight-critical systems lies in the fact that test data crucial to a reliability study, but sensitive from market-competition and liability viewpoints, are difficult to obtain, while rare accident data alone are not statistically significant. It is important to understand that most data required by SURE are obtained through statistical means. Therefore, our reliability estimates can only infer from failure data to the general population and say very little about an individual system. A reliability model so developed displays a pattern only over a large number of failures. Nevertheless, such reliability analysis provides very important information on whether subsystems are well designed and properly configured into an overall system.
6 Appendix

A sample ASSIST program is given here, which is used to build the Markov model for the failure probability calculation in the yaw block.

(* Markov model generation for AFTI-16 SRFCS yaw axis *)

(* Failure rates and coverages *)
LI = 7.0E-5;      (* subsystem failure rate for the C/E interface block (3-plex) *)
LA = 0.5E-6;      (* subsystem failure rate for the actuator block (1-plex) *)
LS = 1E-6;        (* subsystem failure rate for the surface block (1-plex) *)
CI01 = 0.99992;   (* coverage for the 1st failure in block I *)
CI12 = 0.9999;    (* coverage for the 2nd failure in block I *)
CI23 = 0.99;      (* coverage for the 3rd failure in block I *)
CI34 = 0.89;      (* coverage for the 4th failure in block I; not used in this 3-plex model *)
CA01 = 0.99;      (* coverage for the failure in block A *)

(* Text passed through to SURE for coverage variation *)
"DELTA = 0.0 TO+ 1.0;"                 (* DELTA times the coverage range = step size *)
"POINTS = 11;"
"CS01 = 0.89 + DELTA*(0.995-0.89);"    (* CS01 ranges from 0.89 to 0.995 *)

(* State space definition: arrays over the three channels, I = 1, 2, 3 *)
SPACE = (NWI: ARRAY[1..3] OF 0..3,    (* NWI: number of operative subsystems in block I *)
         NFI: ARRAY[1..3] OF 0..3,    (* NFI: number of inoperative subsystems in block I *)
         NUI: ARRAY[1..3] OF 0..1,    (* NUI: flags an uncovered failure in channel I when NUI = 1 *)
         NWA: ARRAY[1..3] OF 0..1,    (* NWA: number of operative subsystems in block A *)
         NFA: ARRAY[1..3] OF 0..1,    (* NFA: number of inoperative subsystems in block A *)
         NWS: ARRAY[1..3] OF 0..1,    (* NWS: number of operative subsystems in block S *)
         NFS: ARRAY[1..3] OF 0..1);   (* NFS: number of inoperative subsystems in block S *)

(* Initial state definition *)
START = (3 OF 3, 3 OF 0, 3 OF 0, 3 OF 1, 3 OF 0, 3 OF 1, 3 OF 0);
(* NWI[I]=3, NFI[I]=0, NUI[I]=0, NWA[I]=1, NFA[I]=0, NWS[I]=1, NFS[I]=0, I = 1, 2, 3 *)

(* Death state definition by minimum cut sets: any uncovered failure, or
   channel 3 lost together with channel 1 or channel 2 *)
DEATHIF (NUI[1] + NUI[2] + NUI[3] >= 1)    (* any uncovered failure *)
   OR (NFI[1] + NFI[3] > 5)
   OR (NFI[2] + NFI[3] > 5)
   OR (NFA[1] + NFI[3] > 3)
   OR (NFA[2] + NFI[3] > 3)
   OR (NFS[1] + NFI[3] > 3)
   OR (NFS[2] + NFI[3] > 3);

DEATHIF (NFI[1] + NFS[3] > 3)
   OR (NFI[1] + NFA[3] > 3)
   OR (NFI[2] + NFS[3] > 3)
   OR (NFI[2] + NFA[3] > 3)
   OR (NFS[1] + NFA[3] > 1)
   OR (NFA[1] + NFA[3] > 1);

DEATHIF (NFA[1] + NFS[3] > 1)
   OR (NFS[2] + NFA[3] > 1)
   OR (NFA[2] + NFA[3] > 1)
   OR (NFA[2] + NFS[3] > 1)
   OR (NFS[1] + NFS[3] > 1)
   OR (NFS[2] + NFS[3] > 1);

(* State transitions in channel I, I = 1, 2, 3 *)
FOR I IN [1..3];

  IF (NFA[I] = 0) AND (NFS[I] = 0) AND (NFI[I] = 0) THEN    (* 1st failure in block I *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 0 BY NWI[I]*LI*CI01;      (* covered *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 1 BY NWI[I]*LI*(1-CI01);  (* uncovered *)
  ENDIF;

  IF (NFA[I] = 0) AND (NFS[I] = 0) AND (NFI[I] = 1) THEN    (* 2nd failure in block I *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 0 BY NWI[I]*LI*CI12;      (* covered *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 1 BY NWI[I]*LI*(1-CI12);  (* uncovered *)
  ENDIF;

  IF (NFA[I] = 0) AND (NFS[I] = 0) AND (NFI[I] = 2) THEN    (* 3rd failure in block I *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 0 BY NWI[I]*LI*CI23;      (* covered *)
    TRANTO NWI[I] = NWI[I] - 1, NFI[I] = NFI[I] + 1, NUI[I] = 1 BY NWI[I]*LI*(1-CI23);  (* uncovered *)
  ENDIF;

  IF (NWA[I] = 1) AND (NWS[I] > 0) AND (NWI[I] > 0) THEN    (* failure in block A *)
    TRANTO NUI[I] = 0, NWA[I] = NWA[I] - 1, NFA[I] = NFA[I] + 1 BY NWA[I]*LA*CA01;      (* covered *)
    TRANTO NUI[I] = 1, NWA[I] = NWA[I] - 1, NFA[I] = NFA[I] + 1 BY NWA[I]*LA*(1-CA01);  (* uncovered *)
  ENDIF;

  IF (NWA[I] > 0) AND (NWS[I] = 1) AND (NWI[I] > 0) THEN    (* failure in block S *)
    TRANTO NUI[I] = 0, NWS[I] = NWS[I] - 1, NFS[I] = NFS[I] + 1 BY NWS[I]*LS*CS01;      (* covered *)
    TRANTO NUI[I] = 1, NWS[I] = NWS[I] - 1, NFS[I] = NFS[I] + 1 BY NWS[I]*LS*(1-CS01);  (* uncovered *)
  ENDIF;

ENDFOR;